#https://github.com/monicahq/monica/blob/master/scripts/docker/fpm/examples/nginx/web/nginx.conf
server {
  listen 80 default_server;
  listen   [::]:80 default_server;
  server_name {{ nginx_server_name }};
  root         /srv/monicahq/public;
  index        index.php;
  charset      utf-8;

  add_header Strict-Transport-Security max-age=31536000;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Robots-Tag none;
  add_header X-Download-Options noopen;
  add_header X-Permitted-Cross-Domain-Policies none;
  add_header Referrer-Policy no-referrer;

# set max upload size
  client_max_body_size 10G;
  fastcgi_buffers 64 4K;

# Enable gzip but do not remove ETag headers
  gzip on;
  gzip_vary on;
  gzip_comp_level 4;
  gzip_min_length 256;
  gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
  gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;


    location ^~ /storage {
        deny all;
    }

location / {
    rewrite ^ /index.php$request_uri;
}



location ~ ^/(?:index)\.php(?:$|/) {
    fastcgi_split_path_info ^(.+\.php)(/.*)$;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    # fastcgi_param HTTPS on;
    #Avoid sending the security headers twice
    fastcgi_param modHeadersAvailable true;
    fastcgi_param front_controller_active true;
    fastcgi_pass  unix:/var/run/php/php7.3-fpm.sock;
    fastcgi_intercept_errors on;
    fastcgi_request_buffering off;
}

  location /favicon.ico {
    access_log off;
    log_not_found off;
  }

location ~ ^/(?:robots.txt|security.txt) {
    allow all;
    log_not_found off;
    access_log off;
}

location = /.well-known/carddav {
    return 301 $scheme://$host/dav;
}
location = /.well-known/caldav {
    return 301 $scheme://$host/dav;
}
location = /.well-known/security.txt {
    return 301 $scheme://$host/security.txt;
}

location ~ \.(?:css|js|woff2?|svg|gif|json)$ {
    try_files $uri /index.php$request_uri;
    add_header Cache-Control "public, max-age=15778463";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Referrer-Policy no-referrer;
    # Optional: Don't log access to assets
    access_log off;
}


location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
    try_files $uri /index.php$request_uri;
    # Optional: Don't log access to assets
    access_log off;
}


  location ~ /\.ht {
    deny all;
  }
}

